CIS 5371 Cryptography Home Assignment 3 – with answers

Due: At the beginning of the class on February 25, 2016

Exercises taken from the course textbook: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography.

1. Let $G$ be a pseudorandom generator where $|G(s)| > 2|s|$. Take $s = s_1 \cdots s_n$ and, for simplicity, $n$ even.

(a) Define $G'(s) \stackrel{\text{def}}{=} G(s0^{|s|})$. Is $G'$ necessarily a pseudorandom generator?

Answer. Note that $|G'(s)| > 4|s|$, and by repeating the process, $|G''(s)| > 8|s|$ for inputs of type $s0^{|s|}0^{2|s|}$, and so on, eventually getting $|G^{(n)}(s)| > 2^{n+1}|s|$: output lengths that are unbounded in terms of $|s|$. So, not true. To prove this, observe that although $G$ is pseudorandom for random inputs, of the $2^{2|s|}$ strings in $\{0,1\}^{2|s|}$ only $2^{|s|}$ are of the type $s0^{|s|}$, so such an input occurs with probability only $2^{|s|}/2^{2|s|} = 1/2^{|s|}$. So inputs of this type are not random, and therefore the output need not be pseudorandom.

(b) Define $G'(s) \stackrel{\text{def}}{=} G(s_1 \cdots s_{n/2})$, where $s = s_1 \cdots s_n$. Is $G'$ necessarily a pseudorandom generator?

Answer. Yes. Let $|G(s)| = \ell(n)$ and

$\varepsilon(n) \stackrel{\text{def}}{=} \left| \Pr_{r \leftarrow \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow \{0,1\}^n}[D(G'(s)) = 1] \right|,$

for a probabilistic polynomial-time distinguisher $D$. By definition of $G'$ we have

$\Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G'(s)) = 1] = \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s_1 \cdots s_{n/2} \cdot 0^{n/2})) = 1],$

and thus

$\left| \Pr_{r \leftarrow \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s_1 \cdots s_{n/2} \cdot 0^{n/2})) = 1] \right| = \varepsilon(n) = \varepsilon'(n/2),$

where $\varepsilon'(n) \stackrel{\text{def}}{=} \varepsilon(2n)$. Since $\varepsilon'$ must be negligible, we conclude that $\varepsilon$ is negligible.

2. Let $G$ be a pseudorandom generator and define $G'(s)$ to be the output of $G$ truncated to $n$ bits (where $n = |s|$). Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.

Answer. Consider a distinguisher $D$ that is given oracle access either to a function $f$ that is truly random, or to $F_k$ as defined above for a uniform choice of $k$. The distinguisher $D$ queries the oracle with (any) two distinct inputs $x$ and $x'$ of length $n$, and gets the responses $y$ and $y'$. $D$ then outputs 1 if and only if $x \oplus x' = y \oplus y'$. When $D$ is given oracle access to $F_k$, we have that $y \oplus y' = F_k(x) \oplus F_k(x') = G'(k) \oplus x \oplus G'(k) \oplus x' = x \oplus x'$, regardless of the exact choice of $k$. In contrast, for a random function $f$, the probability that $y \oplus y' = x \oplus x'$ is exactly $2^{-n}$. Therefore, $\Pr[D^{f(\cdot)}(1^n) = 1] = 2^{-n}$. So

$\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \geq 1 - \frac{1}{2^n}.$

3. Present a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove that your construction satisfies Definition 3.17.

Answer. Let $F$ be a pseudorandom function mapping $n$-bit inputs to $n$-bit outputs. Define $F_k[\ell]$ to be the series $F_k(0), F_k(1), \ldots$ truncated to exactly $\ell$ bits (there are $2^n$ possible inputs to $F$ and thus $F_k[\ell]$ is well-defined for any $\ell \leq 2^n$). Define $G(s, 1^\ell) = F_s[\ell]$. Definition 3.17 requires that the output length of $G$ is $\ell$, which it is. Also $\ell < \ell'$ implies that $G(s, 1^\ell)$ is a prefix of $G(s, 1^{\ell'})$. It is easy to prove that $G_\ell$ is a pseudorandom generator for any polynomial $\ell$, by a straightforward reduction to the pseudorandomness of $F$. Finally, the expansion rate is $\ell$ since the output of $G$ has length $|s| \cdot \ell$.

Mike Burmester
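As an added illustration (not part of the assignment or its answers) of the distinguisher in the answer to exercise 2 above, the script below runs $D$ against both oracles, the candidate $F_k(x) = G'(k) \oplus x$ and a truly random function, and measures how often it outputs 1. SHA-256 truncated to $n$ bits is an assumed stand-in for $G'$, and $n = 64$ is a constructed parameter.

```python
import hashlib
import secrets

# n = |k|: key/block length in bits for this demonstration (constructed value).
N_BITS = 64
N_BYTES = N_BITS // 8

def g_prime(k: bytes) -> bytes:
    """Stand-in for G'(k): a PRG output truncated to n = |k| bits.
    SHA-256 is an assumed placeholder for the PRG G, not part of the exercise."""
    return hashlib.sha256(k).digest()[:N_BYTES]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def make_F(k: bytes):
    """The candidate PRF from exercise 2: F_k(x) = G'(k) XOR x."""
    pad = g_prime(k)
    return lambda x: xor(pad, x)

def make_random_function():
    """A truly random f: {0,1}^n -> {0,1}^n, sampled lazily (one fresh uniform
    output per new input, memoised so repeated queries stay consistent)."""
    table = {}
    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(N_BYTES)
        return table[x]
    return f

def distinguisher(oracle) -> int:
    """D from the answer: query two distinct x, x'; output 1 iff x XOR x' == y XOR y'."""
    x = secrets.token_bytes(N_BYTES)
    x_prime = secrets.token_bytes(N_BYTES)
    while x_prime == x:                        # the two queries must be distinct
        x_prime = secrets.token_bytes(N_BYTES)
    y, y_prime = oracle(x), oracle(x_prime)
    return 1 if xor(x, x_prime) == xor(y, y_prime) else 0

def estimate_gap(trials: int = 200):
    """Empirical Pr[D^{F_k} = 1] and Pr[D^{f} = 1] over `trials` fresh keys / functions.
    Theory says 1 for F_k and 2^-n for a random f, so the gap is about 1 - 2^-n."""
    hits_prf = sum(distinguisher(make_F(secrets.token_bytes(N_BYTES))) for _ in range(trials))
    hits_rand = sum(distinguisher(make_random_function()) for _ in range(trials))
    return hits_prf / trials, hits_rand / trials
```

Calling `estimate_gap()` returns a pair of frequencies; the first is always 1.0, while the second is 0.0 in practice because a collision for a random function has probability $2^{-64}$ per trial.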